Use this file to discover all available pages before exploring further.
Build your Internal PKI through a Private Certificate Authority (CA) hierarchy. This allows you to issue and manage X.509 certificates for internal services without relying on external CAs.
This page is for product admins setting up PKI infrastructure. Teams issuing certificates should see Applications.
Create a simple Private CA hierarchy with a root CA and intermediate CA.
Infisical UI
API
1
Create a root CA
If you have an existing external root CA, skip to step 2.Go to Certificate Manager → Certificate Authorities → Internal and click Create CA.Set the CA Type to Root and fill out details for the root CA:
Valid Until: The date until which the CA is valid in the date time string format specified here. For example, the following formats would be valid: YYYY, YYYY-MM, YYYY-MM-DD, YYYY-MM-DDTHH:mm:ss.sssZ.
Path Length: The maximum number of intermediate CAs that can be chained to this CA. A path of -1 implies no limit; a path of 0 implies no intermediate CAs can be chained.
Key Algorithm: The type of public key algorithm and size, in bits, of the key pair that the CA creates when it issues a certificate. Supported key algorithms are RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384 with the default being RSA 2048.
Name: A slug-friendly name for the CA.
Organization (O): The organization name.
Country (C): The country code.
State or Province Name: The state or province.
Locality Name: The city or locality.
Common Name: The name of the CA.
The Organization, Country, State or Province Name, Locality Name, and Common Name make up the Distinguished Name (DN) or subject of the CA.
At least one of these fields must be filled out.
2
Creating an intermediate CA
To create an intermediate CA, press Create CA again but this time specifying the CA Type to be Intermediate. Fill out the details for the intermediate CA.Next, press the Install CA Certificate option on the intermediate CA. You will be presented with the installation method selector. Choose how the signing certificate should be issued:
Infisical CA
Manual
External CA
Select Infisical CA and press Continue. This option chains the intermediate CA to a root or intermediate CA managed by Infisical.Set the Parent CA to the root CA created in step 1 and configure:
Parent CA: The parent CA to chain to (the root CA from step 1).
Valid Until: Must be within the validity period of the parent CA.
Path Length: Must be less than the parent CA’s path length.
Press Install to chain the intermediate CA to the root CA. This creates a CSR, signs it with the root CA, and imports the certificate.You’ve successfully created a Private CA hierarchy. Now check out the Applications section to learn more about issuing certificates.
Select Manual and press Continue. This option allows you to sign the intermediate CA certificate using an external root CA that you manage outside of Infisical.Use the provided CSR to generate a certificate from your external root CA. Paste the PEM-encoded certificate into Certificate Body and the root CA certificate into Certificate Chain.Press Install to import the certificate.You’ve successfully created a Private CA hierarchy with an intermediate CA chained to an external root CA. Now check out the Applications section to learn more about issuing certificates.
Select External CA (Automated) and press Continue. This option connects to a third-party CA provider to handle certificate signing and renewal automatically via API.Infisical currently supports the following external CA providers for signing intermediate CAs:
When using an external CA, the certificate issued by the provider must correspond to the CSR generated by Infisical.
If the external CA returns a certificate that does not match the CSR (e.g., different subject or key), the installation will fail.
Refer to the provider-specific documentation linked above for detailed setup and installation instructions.
1
Creating a root CA
If you wish to use an external root CA, you can skip this step and head to step 2 to create an intermediate CA.To create a root CA, make an API request to the Create CA API endpoint, specifying the type as root.
By default, Infisical creates a root CA with the RSA_2048 key algorithm, validity period of 10 years, with no restrictions on path length;
you may override these defaults by specifying your own options when making the API request.
2
Creating an intermediate CA
To create an intermediate CA, make an API request to the Create CA API endpoint, specifying the type as intermediate.
You’ve successfully chained an intermediate CA to an external root CA. Now check out the Applications page to learn more about issuing certificates.
You can use an external CA provider to automatically sign the intermediate CA certificate via API. See the provider-specific documentation for the full API workflow:
When using an external CA, the certificate issued by the provider must correspond to the CSR generated by Infisical.
If the external CA returns a certificate that does not match the CSR, the installation will fail.
Infisical supports RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384 key algorithms specified at the time of creating a CA.
Does Infisical support chaining an Intermediate CA to an external CA?
Yes. You can either manually obtain a CSR and import the signed certificate, or use an integrated external CA provider like Venafi TLS Protect Cloud or Azure AD CS to automate the signing process.
